Adobe Social Security Overview

Adobe Social Security Overview Adobe Security At Adobe, we take the security of your digital assets seriously. From our rigorous integration of security into our internal software development process and
of 14
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Adobe Social Security Overview Adobe Security At Adobe, we take the security of your digital assets seriously. From our rigorous integration of security into our internal software development process and tools to our cross-functional incident response teams, we strive to be proactive and nimble. What s more, our collaborative work with partners, researchers, and other industry organizations helps us understand the latest threats and security best practices, as well as continually build security into the products and services we offer. This white paper describes the proactive approach and procedures implemented by Adobe to help increase the security of your data and Adobe Social experience. Table of Contents 1 Adobe Security 1 About Adobe Social 1 Adobe Social Application Architecture 2 Adobe Social Application Security and Network Architecture 3 User Authentication via Adobe Marketing Cloud 4 Adobe Social Hosted Data Centers 4 Adobe Social Network Management 6 Adobe Social Administrative Security Features 7 Adobe Social Moderation Component Hosting 7 Operational Responsibilities of AWS and Adobe 7 Secure Management 8 About Amazon Web Services (AWS) 9 The Adobe Security Organization 10 Adobe Secure Product Development 11 Adobe Security Training 11 Adobe Common Controls Framework 11 Adobe Risk & Vulnerability Management 12 Adobe Corporate Locations 13 Adobe Employees 14 Conclusion About Adobe Social Adobe Social is a social management platform that ties data to your bottom line. A part of the Adobe Marketing Cloud suite of services, Adobe Social goes beyond just likes and follows to manage the deep relationship between your customers sentiments and your business goals. With Adobe Social, you can monitor and moderate conversations, publish and promote content, and analyze engagement and conversion data in a single, mobile-friendly interface. What s more, Adobe Social lets you truly measure the impact of your social content by automatically attaching tracking codes to each piece of content, enabling you to identify what activities drive engagement and conversion. And with integration with other Adobe Marketing Cloud services, you can use these social insights to improve targeting strategies and optimize the customer experience. Adobe Social Application Architecture The Adobe Social solution includes four (4) components: Listening: Collects and categorizes public and private social data. The Listening component collects social data through the Twitter API and directly from other social networks (including Facebook, Google+, YouTube, LinkedIn, and Sina Weibo) and then sends all collected data through a categorization engine. This engine checks for spam, categorizes emotion, determines language, categorizes sentiment, and adds geographic data. The categorized data is then stored where it can be accessed by other systems via API calls and, when appropriate, sent to Adobe Analytics and other data sources for reporting purposes. Publishing: Proactively publishes social network communications, such as Facebook posts, Twitter tweets, Google+ content, YouTube videos, LinkedIn post, and Sina Weibo posts either immediately or on a customer-defined schedule. The Publishing component tracks incoming social data against published content and any other content that has been specifically configured for tracking by the customer. Security and group management allow different users of an organization to be set up with different roles within a social network. Other functionality includes reports and dashboards, as well as a URL shortening service. All social content is provided in a single application, which handles authentication, navigation, and the framework UI. Moderation: Enables the customer s social community manager to react to social data, develop a social data feed based on specific filters, and interact with the company s consumers or users on all defined social feeds. The social community manager can view, reply, retweet, escalate, prioritize, mark as spam, and star any social interactions that come in through the defined feeds. Additionally, the manager can pull up additional user profile information to add comments and store internally. Social Analytics: Collects, processes, and reports insights and metrics related to social content. Social content is composed of user-generated content (e.g., Tweets and posts by consumers or users of the brand) and owned content (e.g., Tweets and posts generated by the brand itself). Adobe Social tracks three (3) types of analytics: Property Analytics Includes insights related to Facebook pages, Twitter handles, YouTube channels, LinkedIn profiles, Google+ pages, Sina Weibo handles (i.e., properties owned by the Adobe customer); Post Analytics Allows the customer to view and report on insights based on posts originating from customer-owned social properties; and Social Buzz Creates a report based on customer-defined terms, including graphs, posts, tracked terms, and mentions by platform and by geography. By default, the report shows data for the last 12 hours, but this timeframe can be changed by the customer. Adobe Social maintains 30 days of verbatim posts. Data from Social Buzz can also be sent to Adobe Analytics for deeper analysis and reporting. Feed Data & Config Customer User Interface Social Data Store Publishing Content & Reports Moderation Reactive Responses Create Feeds Escalation Workflow Dashboard Overview Manage Feed Rules Auto-Delete Listening Collect & Categorize Public Data Collection Data Processing Data Categorization Data Storage Publishing Scheduled Publishing Real-time Publishing Publishing Approval Workflows Content Calendar Analytics Social Buzz Post Analytics Property Analytics Adobe Analytics Integration External Social Platform Data Figure 1: The Adobe Social product architecture and data flow Adobe Social Application Security and Network Architecture Adobe Social Data Flow Adobe Social collects social content in two primary ways: It collects Twitter public content via GNIP and other social network content (e.g., Facebook, LinkedIn, YouTube, Google+, and Sina Weibo) directly via API calls. Adobe Social collects the raw data from each social network and pushes this data into a queuing system for internal processing on Adobe servers. All content deemed to come from social properties owned by the Adobe customer (the customer s Facebook account or Twitter handle, for example) is also sent to Adobe Analytics. 2 After collecting the social content, the Listening component sends all data through a categorization engine, which checks for spam, categorizes emotion, determines language, categorizes sentiment, and adds geographic data. The content is then stored in an Adobe Social database on one of Adobe s servers. If the content is determined to be customer-owned, it is sent via HTTPS API endpoints to Adobe Analytics for further analysis and reporting. The data is sent to the specific data center to which the customer is assigned based on Adobe Analytics. The Publishing component of Adobe Social enables customers to create, schedule, and publish social content from a single dashboard. The customer creates the schedule and workflow (e.g., author and approver) in the component s user interface. These schedules and workflows are synced to the Adobe Social servers. When a scheduled submission is ready for posting, the server sends the selected content to the Publishing back end, which then publishes the content to the selected social network. The URL shortening service within Adobe Social launches when a user clicks a shortened URL. The long URL includes the Adobe Analytics Campaign ID and redirects the user to the actual customer website. The customer website then forwards the included Campaign ID and data directly to Adobe Analytics for tracking and metrics. The Moderation component pulls social content from the Social database as well as receives Twitter Direct Messages and profile information directly from Twitter APIs. Social content is pulled based on listening rules defined by the customer. The Moderation component can also communicate back to Twitter and update the Social database with events and information. As social content comes in, it is filtered based on the defined feed criteria and is stored in the database. Customers view their social feeds through the Moderation UI, which allows them to engage with users and take action such as reply, retweet, etc. on certain feed events, which are either sent back via the Twitter API (for immediate posting) or pushed into the Publishing component (for scheduled posting). User Authentication via Adobe Marketing Cloud Access to Adobe Social requires authentication with username and password. For users accessing Adobe Social using Adobe IDs, Adobe leverages the SHA 256 hash algorithm in combination with password salts and a large number of hash iterations. We continually work with our development teams to implement new protections based on evolving authentication standards. Users can access Adobe Social in one of three (3) different types of user-named licensing: Adobe ID is for Adobe-hosted, user-managed accounts that are created, owned, and controlled by individual users. Enterprise ID is an Adobe-hosted, enterprise-managed option for accounts that are created and controlled by IT administrators from the customer enterprise organization. While the organization owns and manages the user accounts and all associated assets, Adobe hosts the Enterprise ID and performs authentication. Admins can revoke access to Adobe Campaign by taking over the account or by deleting the Enterprise ID to permanently block access to associated data. Federated ID is an enterprise-managed account where all identity profiles as well as all associated assets are provided by the customer s Single Sign-On (SSO) identity management system and are created, owned, controlled by the customer s IT department. Adobe integrates with most any SAML2.0 compliant identity provider. Application and service entitlement is accomplished through the Adobe Enterprise Dashboard. More information on the dashboard is available here: aedash.html For more information on specialized methods for accessing Adobe Social data and reporting via approved applications, please refer to the product documentation at resources/help/en_us/sc/user/home.html 3 Adobe Social Hosted Data Centers The Listening and Publishing components of the Adobe Social solution are hosted on Adobe servers in six (6) data centers around the world. The Moderation component is hosted in Amazon Web Services (AWS). For information on AWS security controls that impact the Moderation component, please see the section entitled, Adobe Social Moderation Component Hosting. Oakland (OAK1) Customer Social Media APIs Singapore (SIN2) Social Analytics Social Analytics Context Opt Context Opt TBD BAG, Cassandra BAG, Cassandra Oregon (OR1) Social Analytics Context Opt Both TBD AWS US West Social Moderation 1. Customers interact with the Backend Agnostic Gateway at a specific location to create, update, and view data in the data centers 2. Social Media APIs retrieve and update data across Social Media Platforms based on customer input Dallas (DA2) Social Analytics Context Opt TBD BAG, Cassandra London (LON5) Social Analytics Context Opt TBD BAG, Cassandra Figure 2: The Adobe Social network Geographic Location of Customer Data on the Data Center Network Adobe stores all Adobe Social customer data in data centers located closest to the customer s geographic location. Adobe Social Network Management Because of the data collection, data content serving, and reporting activities conducted over the Adobe Social network, the security of the network is important to us. To this end, the network architecture implements industry standard practices for security design, including segmentation of development and production environments, DMZ segments, hardened bastion hosts, and unique authentication. Segregating Client Data Data is placed into separate databases (report suites), and a single client s site reports are grouped together on one or more servers. In some cases, more than one client may share a server, but the data is segmented into separate databases. The only access to these servers and databases is via the Social application. All other access to the application and data servers is made only by authorized Adobe personnel at the request of a customer due to a reported issue, and when necessary is conducted via encrypted channels. We separate our testing environments from our production environments, and we do not use customer data in testing environments unless specifically granted permissions by the customer. 4 Secure Management Adobe deploys dedicated network connections from our corporate offices to our data center facilities in order to help enable secure management of the Adobe Social servers. All management connections to the servers occur over encrypted Secure Shell (SSH), Secure Sockets Layer (SSL), or Virtual Private Network (VPN) channels and remote access always requires two-factor authentication. Unless the connection originates from a list of trusted IP addresses, Adobe does not allow management access from the Internet. Firewalls and Load Balancers The firewalls implemented on the Adobe Social network deny all Internet connections except those to allowed ports, Port 80 for HTTP and Port 443 for HTTPS. The firewalls also perform Network Address Translation (NAT). NAT masks the true IP address of a server from the client connecting to it. The load balancers proxy incoming HTTP/HTTPS connections and also distribute requests that enable the network to handle momentary load spikes. Adobe implements fully redundant firewalls and load balancers, reducing the possibility that a single device failure can disrupt the flow of traffic. Non-routable, Private Addressing Adobe maintains servers containing customer data on servers with non-routable IP addresses (RFC 1918). These private addresses, combined with the Adobe Social firewalls and NAT, help prevent an individual server on the network from being directly addressed from the Internet, greatly reducing the potential vectors of attack. Intrusion Detection Adobe deploys Intrusion Detection System (IDS) sensors at critical points in the Adobe Social network to detect and alert our security team to unauthorized attempts to access the network. The security team follows up on intrusion notifications by validating the alert and inspecting the targeted platform for any sign of compromise. Adobe regularly updates sensors and monitors them for proper operation. Service Monitoring Adobe monitors its servers, routers, switches, load balancers, and other critical network equipment on the Adobe Social network 24 hours a day, 7 days a week, 365 days a year (24x7x365). The Adobe Network Operations Center (NOC) receives notifications from the various monitoring systems and will immediately attempt to fix an issue or escalate the issue to the appropriate Adobe personnel. Additionally, Adobe uses multiples other services and tools to perform external monitoring. Change Management Adobe uses a change management tool to schedule modifications, helping to increase communication between teams that share resource dependencies and inform relevant parties of pending changes. In addition, Adobe uses the change management tool to schedule maintenance blackouts that try to avoid periods of high network traffic. Patch Management In order to automate patch distribution to host computers within the Adobe Social organization, Adobe uses internal patch and package repositories as well as industry-standard patch and configuration management. Depending on the role of the host and the criticality of pending patches, Adobe distributes patches to hosts at deployment and on a regular patch schedule. If required, Adobe releases and deploys emergency patch releases on short notice. Access Auditing Only authorized users can access administrative tools. In addition, Adobe logs all Adobe Social production server access attempts for auditing. 5 Logging In order to help protect against unauthorized access and modification, Adobe captures network logs, OS-related logs, and intrusion detections. Sufficient storage capacity for logs is identified, periodically reviewed, and, as needed, expanded to help ensure that log storage is not exceed. Systems generating logs are hardened and access to logs and logging software is restricted to authorized Adobe Digital Marketing Information Security Team personnel. Adobe retains raw logs for one year. Adobe Social Administrative Security Features Adobe Social enables administrators to control access to reporting data. Options include strong passwords, password expiration, IP login restrictions, and domain restrictions. For more information, please go to manager.html Adobe Data Center Physical and Environmental Controls The below description of data center physical and environmental access controls includes controls that are common to all Adobe data center locations. Some data centers may have additional controls to supplement those described in this document. Physical Facility Security Adobe physically controls access to all hardware in Adobe-owned or -leased hosting facilities against unauthorized access. All facilities that contain production servers for the Adobe Social include dedicated, 24-hour on-site security personnel and require these individuals to have valid credentials to enter the facility. Adobe requires PIN or badge credentials and, in some cases, both for authorized access to data centers. Only individuals on the approved access list can enter the facility. Some facilities include the use of man-traps, which prevent unauthorized individuals from tailgating authorized individuals into the facility. Fire Suppression All data center facilities must employ an air-sampling, fast-response smoke detector system that alerts facility personnel at the first sign of a fire. In addition, each facility must install a pre-action, dry-pipe sprinkler system with double interlock to help ensure no water is released into a server area without the activation of a smoke detector and the presence of heat. Controlled Environment Every data center facility includes an environmentally controlled environment, including temperature humidity control and fluid detection. Adobe requires a completely redundant heating, ventilation and air conditioning (HVAC) system and 24x7x365 facility teams to handle any environmental issue that might arise. If the environmental parameters move outside those defined by Adobe, environmental monitors alert both Adobe and the facility s Network Operations Center (NOC). Video Surveillance All facilities that contain production servers for Adobe Social must provide video surveillance to monitor entry and exit point access, at a minimum. Adobe asks that data center facilities also monitor physical access to equipment. Adobe may review video logs when issues or concerns arise in order to determine access. Backup Power Multiple power feeds from independent power distribution units help ensure continuous power delivery at Adobe-owned or Adobe-leased data center facilitites. Adobe also requires automatic transition from primary to backup power and that this transition occurs in a way that helps mitigate potential service interruption. Adobe requires each data center facility to provide redundancy at every level, including generators and diesel fuel contracts. Additionally, each facility must conduct regular testing of its generators under load to ensure availability of equipment. 6 Disaster Recovery In the event that one of our data collection environments are unavailable due to an event, whether a problem at the facility, a local sit
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks